PSD2 Final RTS: The Good, the Bad and the Ugly

Transcription

1 WHITEPAPER PSD2 Final RTS: The Good, the Bad and the Ugly The EBA s new final RTS on Strong Customer Authentication (SCA) and Secure Communications is an acceptable offering that seems to cover a lot of ground and will satisfy most, but ultimately leaves many unanswered questions. In a follow up to last year s Ten Key Points of the PSD2 Draft RTS, we review the final draft and re-visit our original feedback to see what s changed and what stays the same. 1. Banks to define their own interfaces GOOD. The RTS still offers no detailed standard for TPP APIs, and even avoids mentioning APIs at all. Interoperability is supposed to mysteriously emerge. Happily some industry groups (e.g. Berlin Group) have come together to define common standards, and the European Retail Payments Board (ERPB) has convened working groups to facilitate this process. It s up to the banks to define their own interfaces, but at least they will have some de-facto standards to base them on. Predictably, several organisations are springing up to offer meta-aggregation services. These act as a gateway to several banks by offering a single standard interface to Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). The meta-aggregator implements all the different interfaces to multiple banks, and handles the routing and conversion of messages between Third Party Providers (TPPs) and banks. This will make life easier for TPPs who will only need to implement a single interface and immediately get access to many banks. It could also help banks, as they would not have to directly support onboarding of TPPs (RTS Article 27.6 mandates banks to provide support, for connection and functional testing which could be a costly process if carried out for each individual TPP). This doesn t come free though the meta-aggregators are yet another hungry mouth to feed in an already extended value chain. PSPs need to evaluate the pros and cons of using such an intermediary. Complexity simplified

2 2. APIs, not screen scraping UGLY. Rationale 32 says that screen scraping will no longer be allowed, but something that looks a lot like screen scraping, and which suffers from most of the same security holes, is still allowed. The RTS clearly states that it is optional whether a bank should develop a dedicated interface for the exclusive use of TPPs (generally accepted, but not mandated, to be APIs). The alternative is to allow TPPs to use the same interface offered to and used by the banks customers (e.g. online banking). The latter sounds much like current screen-scraping solutions, but there are conditions. The interface must allow TPPs to identify themselves to the bank (27.1.a), and that identification must take the form of qualified certificates for electronic seals or website authentication (29.1) as defined in the EIDAS regulation 910/2014. A key difference between screen-scraping and other types of interface is whether the user enters their bank-provided security credentials on a bankprovided login, or a TPP-provided page. The RTS allows the latter, as it refers to personalised security credentials and of authentication codes transmitted by or through the TPP (27.3.c). This is bad news from a security point of view, as it is an open invitation to phishing, and introduces a technical break in end-to-end encryption that could be exploited. 3. Payment security up to the banks GOOD. The final RTS has less to say on this topic than the draft. The previous wording said that a PIS would only authenticate the customer (Payment Service User or PSU) in case of a prior contractual agreement between the PIS and the ASPSP, and that agreement would be outside the scope of PSD2. That wording has vanished, and Recital 14 now simply says that PIS Providers have the right to rely on the authentication procedures provided by the bank, and that In such cases, the authentication procedure will remain fully in the sphere of competence of the ASPSP. Having a right is not an obligation, and this implies that there are other cases where authentication does not rely on the ASPSP. Nevertheless, the RTS does not say anywhere that ASPSPs have a right to rely on the authentication procedure provided by a third party, so the onus is still on the ASPSP for authentication. Hence the other cases would require the ASPSP to agree bilaterally with a third party to rely on their credentials. In such cases, the third party would have to adhere to the conditions around SCA and associated credentials laid out in the RTS. Rationale 15 indicates that the payee s PSP has the option not to accept SCA which apparently refers to card acquirers accepting non chip-and-pin transactions, and is discussed further in Comment 2. It clarifies that in such cases, liability always rests with the payee s PSP.

3 4. Authentication codes UGLY. Article 4.1 states that the authentication code is generated based on two or more elements categorised as knowledge, possession and inherence, which is clear. But it goes on to state that The authentication code shall be accepted only once. This is fine for a single payment initiation, but Article 13.1 allows an exemption from SCA for a series of payment transactions with the same amount and the same payee presumably the authorisation code generated for the first payment in the series should be presented for each subsequent payment in the series? Likewise, for account information where an AISP can make up to 4 requests per day (31.5.b) for up to 90 days (10.2.b), presumably the original authorisation code must be presented for all subsequent accesses. Unfortunately, neither of these cases is compatible with the only once provision in 4.1. Article 5.1.c now specifies that any change in amount or payee shall invalidate the authentication code, which is a big improvement on the previous requirement to just change the authentication code, which was impossible to fulfil. It s worth noting that the Dynamic Linking of an authentication code covers the amount and payee, but not specific to the payment reference. So it would be quite possible to obtain an authentication code for a payment with one reference, then use it to execute a payment for the same amount and payee, but for a different reference. This could be abused, for example where the payee is a credit card company and the reference indicates the card account to be paid. The RTS only mentions Dynamic Linking for payment initiation, but it should also be required for consent to a specified set of parameters for AISP access accounts accesses, frequency of access, and so on. It would be best to consider Dynamic Linking as a binding of the payer s consent for transaction(s), be they a single payment, series of payments or an enduring consent to access data. 5. Exemptions from Strong Customer Authentication (SCA) GOOD. This is the area of the RTS that has changed most, and has become more practical. Changes include: For contactless card payments, the single transaction value is raised to 50, and the option to count five consecutive non-sca transactions has been added to provide balance to the previous impractical requirement to just accumulate payment values. A vital exemption is added for unattended transport and parking terminals has helpfully been included, but one should note in the TFL case, that the end amount is not known at the point of contactless exemption as the final billing is often calculated at the end of day based on all travel. No SCA is required for payments to trusted beneficiaries. Comment 79 also clarifies. The exemption for trusted beneficiaries only applies to payment transactions made on an online account by the payer. The PISP cannot create a list of trusted beneficiaries. The low value payment exemption is raised from 10 to 30, with a cumulative value of 100 or a cumulative count of five, aligned to the Contactless exemption. However, the biggest change is described in Article 16, where an exemption is offered subject to Transaction Risk Analysis (TRA). This is discussed further in the following section. In some circumstances there is a bootstrap problem. For example, before applying the whitelist exemption, the ASPSP would need a high level of

4 certainty that the purported payer is indeed who they claim to be. This would require some level of authentication of the payer but that s precisely what the exemption is trying to avoid! 6. Real Time Fraud Detection and Prevention GOOD. Whereas the previous draft mandated real time fraud detection to prevent, detect and block fraudulent payments, the final draft allows for a more nuanced risk analysis approach, with high risk transactions being blocked for suspected fraud, and low risk transactions potentially bypassing SCA. There is also a specific approach with clearer reporting and processing procedures. The final draft introduces exemptions from SCA based on Transaction Risk Analysis. The exemption applies to transactions assessed as low risk, with a value limit depending on the type of transaction (remote card or credit transfer), and the PSP s overall fraud rate, based on a rolling quarterly basis. If the transaction is determined to be low risk, SCA need not be applied by the ASPSP; however as in point 3, it is always their prerogative in the interests of protecting the customer, but would have to be recorded as the TPP may complain about unnecessary friction being added. The list of factors to be considered is quite extensive. Article 2 mandates lists of compromised or stolen authentication elements; the amount of each payment transaction; known fraud scenarios in the provision of payment services; signs of malware infection in any sessions of the authentication procedure. For the SCA exemption to apply, additional factors must be considered including the previous spending patterns of the individual payment service user; the payment transaction history of each of the payment service provider s payment service user; the location of the payer and of the payee at the time of the payment transaction. One interesting point is mentioned in Rationale 24, which says both payees and payers PSPs could trigger such an exemption under their own and exclusive responsibility but with the payer s PSP having the final say. This suggests that the payee s PSP can request SCA exemption (with an assumed liability accepted by the PSP), but the payer s ASPSP can over-ride this and still present the challenge for SCA. This exemption will be critical in delivering a frictionless customer experience, so PSPs that cannot meet the criteria will lose out to those that can. Real time risk assessment is not easy, so expect to see some vigorous competition and innovation in this space and various bi-lateral framework contracts on liability to be developed. 7. Sensitive Payment Data BAD. The final draft still says that ASPSPs must provide AIS with the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly accessing the information, provided that this information does not include display of sensitive payment data. This wording raises a barrier to interoperability, as the information that banks currently make available to users varies widely, and banks may make different decisions about which data is sensitive and therefore must be redacted. Third parties will not be able to rely on a consistent set of data and services across all banks, but will have to adapt on a case by case basis, or settle for the lowest common denominator. Additionally, from our own experience PISPs may need some level of payment account information in the case of credit transfers to help a Payment Service User (PSU) select the correct account, for example based on available balance (as happens today with mobile banking). It is unclear whether ASPSPs can provide this information to PISPs, or whether PISPs must apply as AISPs as well to get the information. In any case, some banks are looking to carry out account selection within their own UI, following the application of SCA. This wouldn t be possible if the payment was exempt

5 from SCA. The lack of clarity in this area raises yet another barrier to interoperability. 8. Use of eidas authorities UGLY. The EBA has put aside its doubts and firmly mandated the use of Digital Certificates (of qualified certificates for electronic seals or website authentication, as the regulation would have it) issued under Regulation 910/2014, aka eidas. Several pieces of data are to be encoded in the certificate, including now a new TPP identifier as used on the register of PSPs in the organisation s home country, and an indicator of the role(s) of the TPP ASPSP, AISP, PISP, PII. There are several practical challenges associated with this decision. Firstly, no process or mechanism is set out in this RTS (or elsewhere) linking the revocation of authorisation of a PSP under Article 13 or precautionary measures under Article 30 to revocation of the Digital Certificate. This means that in principle, ASPSPs must carry out two checks whenever they are presented with a Digital Certificate: the standard OCSP certificate revocation check to the QTSP, and then another check against the home member state competent authority Public Register to ensure they are still authorised, with what role authorisations, and whether the TPP has been given passported authorisation to access services in the ASPSP s home member state. Additionally, the RTS does not set out a standard as to how and where in the Digital Certificate the new additional attributes (Role, Competent Authorities) should be stored. In the absence of a common standard across all member states, it will be a major challenge to extract and interpret the information in the certificate. Again it is left to the industry or a European standardisation initiative to agree this and produce a clear process and structure for Competent Authorities, QTSPs, TPPs and ASPSPs to interoperate securely and seamlessly across the EU. 9. Card Not Present requires Strong Customer Authentication GOOD. Unless a card transaction falls under one of the exemptions, it must go through SCA. This could mean a 3D-Secure type process, but using two factors instead of the double knowledge factor(s) (e.g. Password + Date of Birth) being used by most banks currently. Vendors have rushed out solutions such as Dynamic CVV, where the CVV on the card changes regularly. Using this as one of the SCA components proves Possession, which along with Knowledge satisfies the two factor requirement. The main exemption that might apply would be the Transaction Risk Analysis (TRA), which could potentially bypass SCA for companies whose transactions are mainly below the applicable TRA limit ( 100, 250 or 500 depending on the PSP s historical fraud rate). 3-D Secure 2.0 should be able to meet these requirements. As well as browser-based payments, it will also support in-app, mobile, and digital wallet payments. It will support token-based and biometric authentication instead of static passwords, and will carry additional data such as device profile to support risk-based decisions and allow possible TRA-based bypass of SCA.

6 10. Trusted Execution Environments for Multi-Purpose Devices BAD. This section deals with the security of mobile phones and similar devices. It seems like the EBA has caved into pressure from the industry lobbying and has now taken a retrograde step. Instead of the well-defined term Trusted Execution Environment it is using the term Secure Execution Environment which has no current industry definition and allows any vendor to claim compliance. From our knowledge, there are still effectively only three ways to provide for 2FA possession element on a multi-purpose device: 1. Trusted Execution Environment the gold standard for security and convenience, however many phones will not be enabled for this. Also, Apple aren t the most open of providers when it comes to their phones. 2. IMEI/USIM/ICCID/IMSI combination which will cover all other non-tee enabled phones. Put simply, if you could hack the ICCID today, we d all be making free calls and data. This method has definitely proven robust in the real world. 3. Whitebox Crypto in an App this is the least desirable and lacks sufficient market exposure to provide confidence. Also susceptible to OS issues, malware and other software based attack that the previous two options would not have. An ASPSP would also have to ensure that the PSU was keeping the relevant software(s) and OS on their phone updated, much in the way we re always being pushed to download Rapport/Trusteer on the web, but invitations to download software can actually be vectors for malware infection. Given the EBA s difficuly in clearly defining an acceptable standard in this area, it will be interesting to see how ASPSP security officers deal with this in the coming years. In the meantime it s a case of buyer beware. From theory to practice It s one thing to discuss the RTS, but how will it work in the real world? Icon Solutions have put together a demonstration of how merchants, PISPs and ASPSPs can interact using web screens, APIs and back office systems to support e-commerce according to the final RTS. If you would like to see the demonstration for yourself, please contact Icon using the details below and we will be delighted to arrange a convenient time. If you would like to learn more about how Icon help your organisation with any specific PSD2 or payment challenges, please contact; Tom Hay, Head of Payments at Icon Solutions tom.hay@iconsolutions.com, uk.linkedin.com/in/tomhay To find out more iconsolutions.com PSD2@iconsolutions.com